[jboss-cvs] JBossAS SVN: r74801 - in projects/security/security-negotiation/trunk/docs/userguide/en: modules and 1 other directory.
jboss-cvs-commits at lists.jboss.org
Wed Jun 18 12:00:55 EDT 2008
Author: darran.lofthouse at jboss.com
Date: 2008-06-18 12:00:54 -0400 (Wed, 18 Jun 2008)
New Revision: 74801
Added:
projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-ktab.png
projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn-list.png
projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn.png
Modified:
projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml
Log:
[SECURITY-154] Additional active directory configuration steps.
Added: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-ktab.png
===================================================================
(Binary files differ)
Property changes on: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-ktab.png
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:mime-type
+ application/octet-stream
Added: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn-list.png
===================================================================
(Binary files differ)
Property changes on: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn-list.png
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:mime-type
+ application/octet-stream
Added: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn.png
===================================================================
(Binary files differ)
Property changes on: projects/security/security-negotiation/trunk/docs/userguide/en/images/ad-setspn.png
___________________________________________________________________
Name: svn:executable
+ *
Name: svn:mime-type
+ application/octet-stream
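Review bot: all three added PNG images get `svn:executable` set to `*`, which is unnecessary for image files and causes them to be checked out with the execute bit set on Unix; clear the property (`svn propdel svn:executable`) and, since the files are PNGs, set `svn:mime-type` to `image/png` rather than `application/octet-stream` so that the repository browser and diff tooling treat them as images.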
Modified: projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml
===================================================================
--- projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml 2008-06-18 15:44:44 UTC (rev 74800)
+++ projects/security/security-negotiation/trunk/docs/userguide/en/modules/microsoft_ad.xml 2008-06-18 16:00:54 UTC (rev 74801)
@@ -130,20 +130,75 @@
<para>
After the user account has been created it needs to be mapped to a
- host account using the ktpass.exe command line utility included in
- the Windows 2003 Support Tools.
+ host account using the setspn.exe and ktpass.exe command line
+ utilities included in the Windows 2003 Support Tools.
</para>
<para>
+ The first utility to use is the setspn.exe utility installed with
+ the Windows 2003 support tools. Documentation for this tool is
+ available from Microsoft
+ <ulink
+ url="http://technet2.microsoft.com/windowsserver/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true">
+ http://technet2.microsoft.com/windowsserver/en/library/b3a029a1-7ff0-4f6f-87d2-f2e70294a5761033.mspx?mfr=true
+ </ulink>
+ </para>
+
+ <para>
+ You should execute the following two command to map the testserver
+ user to the correct service principals.
+ </para>
+
+ <programlisting><![CDATA[setspn.exe -a host/testserver.kerberos.jboss.org testserver
+setspn.exe -a HTTP/testserver.kerberos.jboss.org testserver]]></programlisting>
+
+ <figure id="ad-setspn">
+ <title>Set Service Principals</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata align="center" fileref="images/ad-setspn.png" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+
+ <para>
+ The following command then can be used to list the mappings.
+ </para>
+
+ <programlisting>
+ <![CDATA[setspn.exe -l testserver]]></programlisting>
+
+ <figure id="ad-setspn-list">
+ <title>List Service Principals</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata align="center" fileref="images/ad-setspn-list.png" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+
+ <para>
+ The next step is to use the ktpass.exe utility from the Windows
+ 2003 support tools and also the ktab.exe tool from the Java
+ installation to export the keytab.
+ </para>
+
+ <note>
+ <para>
+ This section needs some further consideration, it may be
+ possible to just use one of the commands.
+ </para>
+ </note>
+
+ <para>
The ktpass.exe command line utility takes the user created earlier
and maps it as a trusted host, in this case you would need to
execute the following command: -
</para>
<programlisting>
- <![CDATA[ktpass -princ host/testserver at kerberos.jboss.org -pass * -mapuser KERBEROS\testserver
--out C:\testserver.host.keytab]]>
- </programlisting>
+ <![CDATA[ktpass -princ host/testserver at kerberos.jboss.org -pass * -mapuser KERBEROS\testserver
+-out C:\testserver.host.keytab]]></programlisting>
<figure id="ad-command-ktpass">
<title>KTPass</title>
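Review bot: the `<note>` saying this section "needs some further consideration" and that one of the two commands may suffice is an author TODO rather than reader guidance, and the same hunk spells the principal three different ways: `setspn.exe -a host/testserver.kerberos.jboss.org testserver` and `setspn.exe -a HTTP/testserver.kerberos.jboss.org testserver` register fully qualified SPNs, while `ktpass -princ host/testserver at kerberos.jboss.org` uses the short host name and a lower-case realm. Kerberos realm names are case-sensitive and conventionally upper case, and the service principal a browser requests (`HTTP/<fqdn>@REALM`) has to match the keytab entry exactly, so pick one form (FQDN, upper-case realm) and use it consistently in the setspn and ktpass commands; the text should also warn that an SPN must be unique in the forest, because the Windows 2003 `setspn -a` registers it without checking for duplicates. Resolve or drop the `<note>` before this ships, and fix "the following two command" to "commands".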
@@ -154,11 +209,27 @@
</imageobject>
</mediaobject>
</figure>
-
+
<para>
-
+ The ktab.exe utility is then used to export the keytab that will
+ be used by the application server using the following command.
</para>
-
+ <programlisting>
+ <![CDATA[ktab -k c:\testserver.host.keytab -a testserver at KERBEROS.JBOSS.ORG]]></programlisting>
+
+ <figure id="ad-ktab">
+ <title>Export Keytab</title>
+ <mediaobject>
+ <imageobject>
+ <imagedata align="center" fileref="images/ad-ktab.png" />
+ </imageobject>
+ </mediaobject>
+ </figure>
+
+ <para>
+ The resulting keytab should then be used in setting up the host
+ security domain as described previously.
+ </para>
</section>
</chapter>
\ No newline at end of file
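Review bot: the `ktab -k c:\testserver.host.keytab -a testserver at KERBEROS.JBOSS.ORG` command appends the plain user principal `testserver@KERBEROS.JBOSS.ORG` to the keytab that `ktpass ... -out C:\testserver.host.keytab` in the previous hunk has already written for `host/testserver`, so the file ends up holding two entries for different principals and the text never says which one the host security domain is expected to use. Either state that the ktpass output alone is sufficient and drop the ktab step (which is what the earlier `<note>` already suspects), or explain why the server also needs the user principal; note that `ktab -a` prompts for the account password and derives the key locally, so it only yields a usable entry if that password is the one `ktpass -pass *` just set on the account. The closing paragraph "The resulting keytab should then be used in setting up the host security domain" should also say that the keytab contains the account's long-term key and must be readable only by the user the application server runs as.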